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CLAIMS 

I; Method designed to prove to a controller entity. 

- the authenticity of an entity and/or 

5 " the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q,, ... and public values G„ G„ 

... m being greater than or equal to 1 1 , or of the parametera derived from these 
values, 

- a public modulus n constituted by the product of f prime factors pi, p^, ... 
10 pr, f being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

Gi . Qi'' s 1 . mod n or Gi^Qi'^mod n; 
V designating a public exponent such that 

v = 2<« 

where k is a security parameter greater than 1 ; 

said public value G, being the square g,^ of a base number g, smaller than the f 
prime factors p„ p^, „. p, ; the base number g, being such that the following two 
conditions are met: 
20 neither of the two equations; 

z^^gimodn and x^^-gimodn 
can be resolved in x in the ring of integers modulo n 
the equation: 

x*agi*modn 
can be resolved in x in the ring of the integers modulo n; 
said method implements, in xhe following steps, an entity called a witness having f 
prime factors p, and/or parameters of the Chinese remainders of the prime factors 
and/or the public modulus n and/or the m private values Q| and/or the f.m 
components Q,j (Q,,^^ q. ^od p^ of the private values Q.and of the public 
30 exponent v; 



25 
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- the witness computes commitments R in the ring of the integers modulo n; 
each commitment being computed: 

• either by performing operations of the type: 

R s r' mod n 
where r is a random value such that 0 < r< n. 



' or 



« • by performing operations of the type: 
Risn'mod Pi 

where rj is a random value associated with the prime number pi such that 0 < r, < pj, 
10 each r; belonging to a collection of random values {r, , rj , . r,}, 
• • then by applying the Chinese remainder method; 
- the witness receives one or more challenges d, each challenge d comprising 
m integers d, hereinafter called elementary challenges; the witness, on the basis of 
each challenge d, computes a response D, 

• either by performing operations of the type: 

D = r.Q, '".Q2"....Q„**"modn 



' or 

• « 



by performing operations of the type: 

Di * ri . Qw . Qw ... Qi^"" mod p; 
• • and then by applying the Chinese remainder method; 
said method being such that there are as many responses D as there are challenges d 
as there are commitments R, each group of numbers R, d, D forming a triplet 
referenced {R, d, D}. 

— 2. Method according to claim 1, designed to prove the authenticity of an 
entity known as a demonstrator to an entity known as the controller, said 
demonstrator entity comprising the witness; 
said demonstrator and controller entities executing the following steps: 
• Step 1: act of commitment R 

at each call, the witness computes each commitment R by applying the 
30 process specified in claim 1, 
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the demonstrator sends the csontroller all or part of each commitment R, 
•Step 2: act of challenged 

- the controller, after having received all or part of each commitment R, 
produces challenges d whose number is equal to the number of commitments R and 

5 sends the challenges d to the demonstrator, 
•Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified in claim 1, 

« Step 4: act of checking 
10 - the demonstrator sends each response D to the controller, 

case where the demonstrator has transmitted a part of each commitment R 
if the demonstrator has transmitted a part of each commitment R, the controller, 
having the m public values G2, G^u, computes a reconstructed commitment 
R', from each challenge d and each response D, this reconstructed commitment R' 
15 satisfying a relationship of the type 

R' s Gi , G2 , Gm . DV mod n 
or a relationship of the type 

R' s Dv/Gi dl . G2 d2 . ... g^ dm , „od n 
the controller ascertains that each reconstructed commitment R' reproduces all or 
20 part of each commitment R that has been transmitted to it. 

case where the demonstrator has transmitted the totality of each commitment R 
if the demonstrator has transmitted the totality of each commitment R, the controller, 
having the m public values Gi, G2, ascertains that each commitment R 
satisfies a relationship of the type 
25 Rs Gi dl . G2 d2 , „. Gm . DV mod n 

or a relationship of the type 

R s Dv/Gi dl . G2 d2 . „, Gm dm . mod n 

^ 3. Method according to claim 1, designed to provide proof to an entity, 

known as the controller entity, of the integrity of a message M associated with an 
30 entity called a demonstrator entity, said demonstrator entity comprising the witness; 
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said demonstrator and controller entities executing the following steps: 
•Stepl: act of commitment R 

- at each call, the witness computes each commitment R by applying the process 
specified according to claim 1, 

5 • Step 2; act of challenged 

- the demonstrator applies a hashing function h whose arguments are the message M 
and all or part of each commitment R to compute at least one token T, 

- the demonstrator sends the token T to the controller, 

- the controller, after having received a token T, produces challenges d equal in 
10 number to the number of commitments R and sends the challenges d to the 

demonstrator, 

•Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified according to claim 1, 

1^ « Step 4: act of checking 

- the demonstrator sends each response D to the controller, 

- the controller, having the m public values Gi, G2, Gm, computes a 
reconstructed commitment R', from each challenge d and each response D, this 
reconstructed commitment R' satisfying a relationship of the type 

20 R'«Gidl.G2<*2..„Gmdni^DVniodn 

or a relationship of the type 

R'sDVGi dl.G2«.».Gn,dm.modn 

- then the controller applies the hashing function h whose arguments are the message 
M and all or part of each reconstructed commitment R' to reconstruct the token T', 

25 ' then the controller ascertains that the token T' is identical to the token T 
transmitted. 

^,1- Method according to claim 1, designed to produce the digital signature of 
a message M by an entity knovm as the signing entity, said signing entity comprising 
the witness; 
30 Signing operation 
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said signing entity executes a signing operation in order to obtain a signed message 
comprising: 

- the message M, 

- the challenges d and/or the commitments R, 
5 - the responses D; 

said signing entity executes the signing operation by implementing the following 
steps: 

• Step 1 : act of commitment R 

- at each call, the witness computes each commitment R by applying the process 
10 specified according to claim 1, 

•Step 2: act of challenged 

- the signing party applies a hashing function h whose arguments are the message M 
and each commitment R to obtain a binary train, 

- from this binary train, the signing party extracts challenges d whose number is 
1 5 equal to the number of commitments R, 

* Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified according to claim 1. 

1 Method according to claim 4. designed to prove the authenticity of the 

message M by checking the signed message through an entity called a controller; 
Checking operation 

- said controller entity having the signed message executes a checking operation by 
proceeding as follows: 

• case where the controUer has commitments challenges d, responses D 
25 if the controller has commitments R, challenges d, responses 

- • the controller ascertains that the commitments R, the challenges d and the 
responses D satisfy relationships of the type 

R s Gi dl , d2 . .^^ Gm dm ^ Dv mod n 
or relationships of the type 

R s Dv/Gi <il . G2 d2 ^ Gm . mod n 
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• • the controller ascertains that the message the challenges d and the 
commitments R satisfy the hashing function: 

d h (message, R) 

• case where the controller has challenges d and responses D 
5 if the controller has challenges d and responses D, 

• • the controller reconstructs, on the basis of each challenge d and each 
response D, conmiitments R' satisfying relationships of the type 

R* s d dl . G2 ^2 . ... ^™ • mod n 
or relationships of the type: 
10 R'-Dv/Gidl,G2d2....Gm<*'".modu 

• • the controller ascertains that the message M and the challenges d satisfy 
the hashing function: 

d = h (message, R*) 

• case where the controller has commitments R and responses D 
15 if the controller has commitments R and responses D, 

• • the controller applies the hashing function and reconstructs d' 

d' = h (message, R) 

• • the controller device ascertains that the commitments R, the challenges d* 
and the responses D satisfy relationships of the type 

20 R s Gi ^'l.G2^'2 ^ _ ^ mod n 

or relationships of the type: 

R ^ Dv/Gi d'l . G2 . ... g^, d'm . ^od n 

6. A system designed to prove, to a controller server, 

- the authenticity of an entity and/or 

25 - the integrity of a message M associated with this entity, 

by means of: 

- m pairs of private values Q„ Qj, ... Q„ and public values Gj, Gj, ... G„, m 
being greater than or equal to 1, or parameters derived from these values, 

- a public modulus n constituted by the product of said f prime factors pi, p2, 
30 , pf, f being greater than or equal to 2, 
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said modulus and said values being linked by relations of the type 
G,. Qi* s 1 . mod n or Gi a Qi* mod n . 
V designating a public exponent such that 

where k is a security parameter greater than 1; 

said public value G, being the square gj' of the base number gj smaller than the 
f prime factors p„ pj, p„ the base number g; being such that the following 
conditions are met: 

neither of the two equations: 

x^sgimodn and x^ = -gjmodn 
can be resolved in x in the ring of integers modulo n 
the equation: 

X* B mod n 
can be resolved in x in the ring of the integer? modulo n; 

said system comprises a witness device, contained especially in a nomad object 
which, for example, takes the form of a microprocessor-based bank card, 
the witness device comprises 

- a memory zone containing the f prime fectots p, and/or the parameters of the 
Chinese remainders of the prime factors and/or the public modulus n and/or the m 
private values Q. and/or f.m components Q„, (Q^^ ^ Q, mod pj) of the private values 
Qi and of the public exponent v; 

said witness device also comprises: 

- random value production means, hereinafter called random value production 
means of the witness device, 

' computation means, hereinafter called means for the computation of 
commitments R of the witness device, to compute commitments R in the ring of 
integers modulo n; each commitment being computed: 
• either by performing operations of the type; 

R = r" mod n 

where r is a random value produced by the random value production means, r being 
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such that 0<r<n, 

• or by perfoiming operations of the type: 

RiBn^modpi 

where ri is a random value associated with the prime number p, such that 0 < n < pi, 
5 each n belonging to a collection of landom values {r, , rj , . r,} , then by applying 
l])e Chinese remainder method; 
said witness device also comprises: 

- reception means hereinafter called the means for the reception of the 
challenges d of the witness device, to receive one or more challenges d; each 

10 challenge d comprising m integers d, hereinafter called elementary challenges; 

- computation means, hereinafter called means for the computation of the 
responses D of the witness device for the computation, on the basis of each challenge 
d, of a response D, 

• either by perfonning operations of the type; 

" I> = r.Q,'".Q2'°..„Q„«'-"mddn 

• or by performing operations of the type: 

D, = r, . Qi,t « . « ... Qi^""- mod p, 
and then by applying the Chinese remainder method, 

- transmission means to transmit one or more commitments R and one or 
20 more responses D; 

tfiere are as many responses D as there are challenges d as there are commitments R, 
each group of numbers R, d, D forming a triplet referenced {R, d, D}. 
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7. (Twice Amended) A system according to claim 6, designed to prove the 
authenticity of an entity called a demonstrator and an entity called a controller, 
said system being such that it comprises: 

- a demonstrator device associated with the demonstrator entity, said demonstrator 
device being interconnected with the witness device by interconnection means and 
possibly taking the form especially of logic microcircuits in a nomad object, for example 
the form of a microprocessor in a microprocessor-based bank card, 

- a controller device associated with the controller entity, said controller device 
especially taking the fonn of a terminal or remote server, said controller device 
comprising connection means for its electrical, electromagnetic, optical or acoustic 
connection, especially throug^i a data-processing communications network, to the 
demonstrator device; 

said system enabling the execution of the following steps: 

• Stepl: act of commitment R 
at each call, the means of computation of the conmiitments R of the witness device 
compute each commitment R by ^plying the method designed to prove to a controller 
entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qu Q2» Qm and public values Gz, . - - 
Gm, m being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors Pi, pz, Pf» f 
being greater than or equal to 2; 
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said modulus, said exponent and said values being related by relations of the 
following type 

Gi , Qi"' s 1 * mod n or Gi = Qi^'mod n; 
V designating a public exponent such that 

v = 2'^ 

where k is a security parameter greater than 1 ; 

said public value G| being the square gi^ of a base number gi smaller than the f 
prime factors pi, p2, ... pr ; the base number gi being such that the following two 
conditions are met: 
neither of the two equations: 

x^sgimodn and x^s-gimodn 
can be resolved in x in the ring of integers modulo n 
the equation: 

x"" a gi^ mod n 
can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime 
factors Pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qi and/or the f.m components Qi, j (Qi, j a 
Qi mod pj) of the private values Qi and of the pubhc exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R^r'' mod n 
where r is a random value such that 0 < r < n, 
• or 

♦ • by perfonning operations of the type: 

Ri bs mod Pj 

where n is a random value associated with the prime number pi such that 0 < n < pi, each 
ft belonging to a collection of random values {ri , , rf}, 

• • then by applying the Chinese remainder method; 
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- the witness receives one or more challenges each challenge d comprising m 
integers di hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, 

• either by perfonning operations of the type; 

Dsr.Qi ''^Q2*"--..Qm"" modn 

• or 

• • by performing operations of the type: 

Di = n . Qu . Qi^ mod Pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers D forming a triplet referenced {R, 

where as the witness device has means of transmission, hereinafter called the 
transmission means of the witness device, to transmit all or part of each commitment R to 
the demonstrator device through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the transmission 
means of the demonstrator, to transmit all or part of each commitment R to the controller 
device throu^ the connection means; 

• Step 2: act of challenge d 

the controller device comprises challenge production means for the production, after 
receiving all or part of each conamitment R, of the challenges d equal in number to the 
number of commitments R, 

the controller device also has transmission means, hereinafter known as the transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means. 

« Step 3: act of response D 
the means of reception of the challenges d of the witness device receive each challenge d 
coming from the demonstrator device through the interconnection means, 
the means of computation of the responses D of the witness device compute the responses 
P fiom the challenges d by applying the method designed to prove to a controller entity. 
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- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q2» ..- Qm and pubhc values Gi, G2, 
Gmi m being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modxxlus a constituted by the product of f prime factors pi, p2i ... Pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

Gi . Qr =1 - mod n or Gi s Qi"" mod n; 
V designating a public exponent such that 

v = 2'' 

where k is a security parameter greater than 1 ; 

said public value G| being the square of a base number gi smaller than the f 
prime factors pi, p2» Pr ; the base number g; being such that the following two 
conditions are met: 
neither of the two equations; 

x^^gimodn and x^^-gimodn 
can be resolved in x in the ring of integers modulo n 
the equation: 

x^ = gi^ mod n 
can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime 
factors Pi and/or parameters of the Chinese remainders of the prime factors and^or the 
public modulus n and/or the m private values Qi and/or the tm components Qi, j (Qi, j 5 
Qi mod pj) of the private values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type; 

R^i' mod n 
where r is a random value such that 0 < r < n, 
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•or 

• • by perfonning operations of the type: 

Rj a ri^ mod Pi 

where r| is a random value associated with the prime number pi such that 0 < n < pi, each 
ri belonging to a collection of random values {ri , ri , rj, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers d| hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, 

• either by perfonning operations of the type; 

» = r , Q, Q2 ... Q„ mod n 

• or 

• • by perfonning operations of the type; 

D| s n . Qi,i . Q,^ Qi,„ mod pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers d, D forming a triplet referenced {R^ 
d,Dh 

■ Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the controller, 
the controller device also comprises; 

- computation means, hereinafter called the computation means of the controller 

device, 

- comparison means, hereinafter called the comparison means of the controller 

device, 

case where the demonstrator has transmitted a part of each commitment R. 

if the transmission means of the demonstrator have transmitted a part of each 
commitment R, the computation means of the controller device, having m public values 
Gi, G2, Gm* compute a reconstructed commitment R', from each challenge d and 
each response D, this reconstructed commitment R' satisfying a relationship of the type 
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R' s Gi <»1 . G2 <*2 , „. Gm dra . mod n 

or a relationship of the type 

R* = DV/Gi dl .02^2, Gn, d™ ■ mod n 

the comparison means of the controller device compare each reconstructed commitment 
R' with ail or part of each commitment R received, 

case where the demonstrator has transmitted the totality of each commitment R 

if the transmission means of the demonstrator have transmitted the totality of each 
commitment R« the computation means and the comparison means of the controller 
device, having m public values Gj, G2, Gm, ascertain that each commitment R 
satisfies a relationship of the type 

R s Gi dl . G2 d2 . .„ Gm dm . mod n 
or a relationship of the type 

R - DVGi dl . G2 d2 . ... g^ d»n . mod n 

8. (Twice Amended) System according to claim 6, designed to give proof to an 
entity, known as a controller, of the integrity of a message M associated with an entity 
known as a demonstrator^ 
said system being such that it comprises 

- a demonstrator device associated with the demonstrator entity, said demonstrator 
device being interconnected with the witness device by intercoimection means and 
possibly taking the form especially of logic microcircuits in a nomad object, for example 
the form of a microprocessor in a microprocessor-based bank card, 

- a controller device associated with the controller entity, said controller device 
especially taking the form of a terminal or remote server, said controller device 
comprising connection means for its electrical, electromagnetic, optical or acoustic 
connection, especially through a data-processing communications network, to the 
demonstrator device; 

said system enabling the execution of the following steps: 
• Step 1: act of commitment R 
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at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the method designed to prove to a controller 
entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q2, Qm and public values Gi, G2, 
Gm, m being greater than or equal to 1 | , or of the parameters derived from these values. 

- a public modulus n constituted by the product off prime factors pi, P2> Pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

Gi. Qi"" s 1 . mod n or Gi s Qi^'mod n; 
v designating a public exponent such that 

v = 2'' 

where k is a security parameter greater than 1; 

said public value G| being the square gi^ of a base number gi smaller than the f 
prime factors pi, pi? pr ; the base nxunber gi being such that the following two 
conditions are met: 
neidier of the two equations: 

x^^gimodn and x^s-gintodn 
can be resolved in x in the ring of integers modulo n 
the equation: 

x'' ^ gi^ mod n 
can be resolved in x in the ring of the integers modulo d; 

said method implements, in the following steps, an entity called a witness having f prime 
factors pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qi and/or the f.m components Qi,j (Qi,j ^ 
Qi mod Pj) of the private values Qi and of the public exponent v; 

- the witness computes conunitments R in the ring of the integers modulo n; each 
commitment being computed: 
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• either by perfoiming operations of the type: 

R s mod n 
where r is a random value such that 0 < r < q, 

• or 

• • by perfonning operations of the type: 

R; = Ti' mod pi 

where n is a random value associated with the prime number pi such that 0 < ti < pi, each 
n belonging to a collection of random values {ri , rj , ... rr}, 

• • then by ^plying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers d) hereinafter called elementary challenges; the witness, on the basis of each 
challenge computes a response D» 

• either by performing operations of the type: 

D = r . Qi . „ Q„ mod n 

•or 

• • by perfonning operations of the type: 

Di = fi - Qi,, . Qi,2 ... Qi.m mod p, 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are conunitments R, each group of numbers R, d, D forming a triplet referenced {R, 
d,D}, 

where as the witness device has transmission means, hereinafter called transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

• Step 2: act of challenge d 

the demonstrator device comprises computation means, hereinafter called the 
computation means of the demonstrator, applying a hashing fiinction h whose arguments 
are the message M and all or part of each commitment R to compute at least one token T, 
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the demonstrator device also has transmission means, hereinafter known as the 
transmission means of the demonstrator device, to transmit each token T through the 
connection means to the controller device, 

the controller device also has challenge production means for the production, after having 
received the token T, of the challenges d in a number equal to the number of 
commitments R, 

the controller device also has transmission means, hereinafter called the transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means; 

• Step 3: act of response D 
the means of reception of the challenges d of the witness device receive each challenge d 
coming from the demonstrator device through the interconnection means, 
the means of computation of the responses D of the witness device compute the responses 
D from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q2, Qm and public values G], G2, ... 
Gjni m being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, P2, ... Pf, f 
being greater than or equal to 2] 

said modulus, said exponent and said values being related by relations of the 
following type 

Qr= 1 . mod n or Gi Si Qi^'mod n; 
V designating a pubUc exponent such that 

v=2'' 

where k is a security parameter greater than 1; 

said public value G\ being the square gi^ of a base number gi smaller than the f 
prime factors pi, pi, pf ; the base number gi being such that the following two 
conditions are met: 
neither of the two equations: 
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x^sgimodn and x^^-gitnodn 
can be resolved in x in the ring of integers modulo n 
the equation: 

X* H gi^ mod n 

can be resolved in x in the ring of the integers modulo a; 

said method implements, in the following steps, an entity called a witness having f prime 
factors Pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Q\ and/or the f.m components Qi, j (Qi, j = 
Qi mod pj) of the private values Qi and of the public exponent v; 

- the witness computes oommitments R in the ring of the integers modulo n; each 
commitment being computed; 

• either by perforaiing operations of the type: 

R is r'' mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by perfonning operations of the type: 

Ri ~ mod p, 

where ri is a random value associated with the prime number pi such that 0 < n < pi, each 
T\ belonging to a collection of random values , ri , rf}, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers di hereinafter called elementary challenges; the v^dtness, on the basis of each 
challenge d, computes a response D, 

• either by performing operations of the type: 

D B r . Q, Qi ^\ ... Q„ mod n 

• or 

• • by perfonning operations of the type: 

D| = ri . Qi^i . Qi,i ... Qi.m mod pi 

• • and then by applying the Chinese remainder method; 
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said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d, D fbmiing a triplet referenced {R, 
d, D}, 

" Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the controller, 
the controller device also comprises computation means, hereinafter called the 
computation means of the controller device, having m pubhc values Gj, G2, Gm, to 
firstly compute a reconstructed commitment R', &om each challenge d and each response 
D, this reconstructed commitment R' satisfying a relationship of the type 

R' s Gi . G2 , „. Gm . DV mod u 
or a relationship of the type 

R' ^ DV/Gi dl . G2 d2 . ... , mod d 

then, secondly, compute a token T' by applying the hashing function h having as 
arguments the message M and all or part of each reconstructed commitment R', 
the controller device also has comparison meanSi hereinafter known as the comparison 
means of (he controller device, to compare the computed token T' with the received 
token T, 

9, ( Twice Amended) System according to claim 6, designed to produce the digital 
signature of a message M, hereinafter known as the signed message> by an entity called a 
signing entit>^ 

the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 
Signing operation 

said system being such that it comprises a signing device associated with the signing 
entity, said signing device being interconnected with the witness device by 
interconnection means and possibly taking the form especially of logic microcircuits in a 
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nomad object, for example the form of a microprocessor in a microprocessor-based bank 
card, 

said system enabling the execution of the following steps: 

• Step 1: act of commitmeut R 

at each call, the means of computation of the conmiitment$ R of the witness device 
compute each commitment R by applying the method designed to prove to a controller 
entity, 

* the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qt, Q2, ... Qm and public values d, ... 
Gm, m being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constimted by the product of f prime factors pi, pj, ... pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

Gi * Qi^ » 1 1 mod n or Gi ■ Qi"" mod &; 
V designating a pubUc exponent such that 

v = 2^ 

where k is a security parameter greater than 1 ; 

said public value Gt being the square of a base number & smaller than the f 
prime factors pi, P2» Pr ; the base number gi being such that the following two 
conditions are met: 
neither of the two equations: 

K gi mod n and s - gi mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x^ = gi^ mod n 
can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime 
factors Pi and/or parameters of the Chinese remainders of the prime factors and/or the 
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public modulus n and/or the m private values Qi and/or the Lm components Ql,j (Qi, j ^ 
Qi mod pj) of the private values Qi and of the public eTqsonent v; 

- the witness computes comniitments R in the ring of the integers modulo n; each 
conunitment being computed: 

• either by perfonning operations of the type: 

R = mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Rs ^ mod Pi 

where ri is a random value associated with the prime number pi such that 0 < ri < pj, each 
r| belonging to a collection of random values {ri > r2 , ... ff}, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers ds hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, 

• either by perfonning operations of the type: 

D = r . Q, Q2 » . ^" mod D 

• or 

• • by performing operations of the type: 

Di s n . Qi^i . Q|^3 ^. Qi^m mod pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d, D forming a triplet referenced {R, 
d,D}, 

where as the witness device has means of transmission, hereinafter called the 
transmission means of the witness device, to transmit all or part of each conunitment R to 
the demonstrator device through the interconnection means, 

• Step 2: act of challenge d 
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the signing device comprises computation means, hereinafter called the computation 
means of the signing device, flying a hashing function h whose arguments are the 
message M and all or part of each commitment R to compute a binary train and extract, 
from this binary train, challenges d whose number is equal to the number of 
commitments R, 

•Step 3: act of response D 
the means for the reception of the challenges d of the witness device receive each 
challenge d coming from the signing device through the interconnection means, 
the means for computing the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qu Qij Qm and public values Gi, Gi, 
Gm, m being greater than or equal to 1 1 , or of the parameters derived from these values. 

- a public modulus n constituted by the product of f prime factors pi, pi, pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

Gi . or = 1 . mod n or G| a Q,^ mod n; 

v designating a pubhc exponent such that 

v = 2'' 

where k is a security parameter greater than 1 ; 

said public value G-, being the square gi^ of a base number gi smaller than the f 
prime factors pi, P29 pr ; the base number gj being such that the following two 
conditions are met: 
neither of the two equations: 

s gi mod n and ^ - gi mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x'' s gi^ mod n 



10/18/2004 14:20 FAX G123329081 



MERCHANT 8( GOULD 



21024/047 



can be resolved in x in the ring of the mtegers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime 
factors pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qi and/or the f.m components Qi, j (Qi, j ■ 
Qi mod pj) of the private values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R»r^modn 
where r is a random value such that 0 < r < 
•or 

• • by performing operations of the type: 

Ri s mod p\ 

where ri is a random value associated with the prime number pi such that 0 < ri < pi, each 
t\ belonging to a collection of random values {r^ , r2 , rr}» 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers di hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response 

* either by perf onning operations of the type: 

• or 

• • by perfomung operations of the type: 

Di a n . Qi4 . Qi^ Qi^ mod pi 
• « aiul then by applying the Chinese remainder method; 
said method being such that there are as many responses D as there are challenges d as 
there are commitments each group of numbers R, D forming a triplet referenced {R, 

where as the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device 
through the interconnection means. 
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^0- System according to claim 9, designed to prove the authenticity of the 
message M by checking the signed message by means of an entity called die 
controller. 

Checking operation 

the system being such thai it comprises a controller device associated with the 
controller entity, said controller device especially taking the form of a terminal or 
remote server, said controller device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially dirough a data-processing 
comm\inications network, to the signing device; 

the signing device associated with the signing entity comprises transmission means, 
hereinafter known as the transmission means of the signing device, for the 
transmission, to the controller device, of the signed message through the connection 
means, in such a way that the controller device has a signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses 

the controller device comprises: 

- computation means hereinafter called the computation means of the 
controller device, 

- comparison means, hereinafter called the comparison means of the 
controller device, 

• case where the controller device has commitments R, challenges d, responses D 
if the controllOT has commitments R, challenges d, responses D, 

• • the computation and comparison means of the controller device ascertain 
that the commitments R, the challenges d and the responses D satisfy relationships of 
the type 

RsGi <'^.G2<*2.,„Gi„ <»'n-DVmodn 

or relationships of the type: 

R - DVGi . G2 d2 . ... * mod n 
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• • the computation and comparison means of the controller device a5certain 
that the message M, the challenges d and the commitments R satisfy the hashing 
function: 

d h (message, R) 

• case where the controller device has chaUenges d and responses D 
if the controller device has challenges d and responses D, 

• • the computation means of the controller, on the basis of each challenge d 
and each response D, compute commitments R^ satisfying relationships of the type 

s Gi dl . G2 , ... Gm ^™ . DV mod n 
or relationships of the type: 

R' s Dv/Gi dl . Gj 52 , ^.^ g„, dm . mod n 

• • the computation and comparison means of the controller device ascertain 
that the message M and the challenges d satisfy the hashing function: 

d = h (message, R') 

• case where the controUer device has commitments R and responses D 
if the controller device has commitments R and responses D, 

• • the computation means of the controller device apply the hashing function 
and compute d' such that 

d* = h (message, R) 

• • the computation and comparison means of the controller device ascertain 
that the commitments R, the challenges d' and the responses D satisfy relationships 
of the type 

R^ Gi d'l , G2 . d'm . ^v mod n 

or relationships of the type: 

R ^ Dv/Gi d4 . G2 . G^ ^'m . mod n 
_ f^ ' A terminal device associated with an entity, taking the form especially of 
a nomad object, for example the fonn of a micrx)processor in a microprocessor-based 
bank card, designed to prove to a controller server: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity; 
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by means of : 

. m pairs of private values Q„ Q^, Q„ and public values G,. Gj, m 
being greater than or equal to 1, or parameters derived from these values, 

' a public modulus i» ronstiluted by the product of said f prime factors pj, pj, 
... Pf (f being greater than or equal to 2), 

said modulus and said values being related by relations of the type 

G, . Qi^ s 1 . mod n or G| K Q^"" mod n . 
V designating a public exponent such that 

V = 2** 

where k is a security parameter greater than 1 . 

said public value Gi being the square gj^ of the base number gj smaller than the f 
prime factors pi, P2, Pf, the base number gi being such that; 

neither of the two equations: 

= gi mod n and = - gi mod n 
can be resolved in x in the ring of integers modulo □ 

the equation: 

s gj^ mod n 

can be resolved in x in the ring of the integers modulo n, 
said terminal device comprises a witness device comprising, 

- a memory zone containing the f prime factors pi and/or the parameters of the 
Chinese remainders of the prime factors and/or the public modulus n and/or the m 
private values Qj and/or tm components Qj, j (Q,, j = Qj mod of the private values 
Qi and of the public exponent v. 

said witness device also comprises: 

- random value production means, hereinafter called random value production 
means of the witness device, 

- computation means, hereinafter called means for the computation of 
commitments R of the witness device, to compute commitments R in the ring of the 
integers modulo n; each commitment being computed: 

• either by performing operations of the type: 
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Rsr^mod n 

where r is a random value produced by the random value production means, r being 
such that 0<r<n, 

• or by perfonning operations of the type: 

5 fti^rs^modpf 

where Ti is a random value associated with the prime numb«" p; such that 0 < rj < pi, 
each Fj belonging to a collection of random values {ri , ra ♦ rf} produced by the 
random value production means, then by applying the Chinese remainder method; 
said witness device also comprises: 

^0 - reception means hereinafter called the means for the reception of the 

challenges d of the witness device, to receive one or more challenges d; each 
challenge d comprising m integers dj hereinafter called elementary challenges; 

- computation means, hereinafter called means for the computation of the 
responses D of the witness device, for the computation, on the basis of each 

15 challenge d, of a response D, 

• either by performing operations of the type: 

D = r . Q, « . Qj ^. . . , Q„ mod n 

• or by performing operations of the type: 

»! = ri . . Q^*"™ mod p, 

20 and then by applying (he Chinese remainder method, 

- transmission means to transmit one or more commitmrats R and one or 
more responses D; 

there are as many responses D as there are challenges d as th^e are commitments R, 
each group of numbers d, D forming a triplet referenced {R, d, D)» 
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Ij: (Twice Amended) A terminal device according to claim 11, designed to prove 
the authenticity of an entity called a demonstrator to an entity called a controller, 
said terminal device being such that it comprises a demonstrator device associated with 
the demonstrator entity, said demonstrator device being interconnected with the witness 
device by interconnection means and being capable especially of taking the form of logic 
miciocircuits in a nomad objoct> for example the form of a microprocessor in a 
microprocessor-based bank card, 

said demonstrator device also comprising coimection means for its electrical, 
electromagnetic, optical or acoustic cormection, especially througji a data-processing 
communications network, to the controller device associated with the controller entity, 
said controller device especially taking the form of a terminal or remote server; 
said terminal device enabling the execution of the following steps; 

*Stepl: act of commitment R 
at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the method designed to prove to a controller 
entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all Or part of the private values Qi, Qi, Q„ and public values d, G2, . . . 
Gnu m being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p2> Pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations, of the 
following type 

Gi* Qi^al .modnorGi^Qj^modd; 
V designating a public exponent such that 
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v = 2'' 

where k is a security parameter greater than 1 ; 

said public value d being the square gi^ of a base number g smaller than the f 
prime factors pi^ p2, pr ; the base number gi being such that the following two 
conditions are met: 
neither of the two equations: 

x^Bgimodn and x^s-gtmodn 
can be resolved in x in the ring of integers modulo n 
the equation: 

x'' = gi^ mod D 
can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime 
factors Pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qi and/or the f.m components Qi, j (Qi, j a 
Qi mod pj) of the private values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

Rnr^modn 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri « mod pi 

where n is a random value associated with the prime number pi such that 0 < ri < pi, each 
Ti belonging to a collection of random values {ti , , fr}, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers d\ hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, 

• either by performing operations of the type; 
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D ^ r . Q, Qi mod n 

•or 

• • by perfomung operations of the type: 

Di ^ Fi . Qi,, . Qi,2 ^\ - Q,.i„ mod pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers d, D forming a triplet referenced {R, 
d,DK 

where as the witness device has transmission means, hereinafter called the transmission 
means of the witness device, to transmit aD or part of each commitment R to the 
demonstrator device through the interconnection means^ 

the demonstrator device also has transmission means, hereinafter called the transmission 
means of the demonstrator, to transmit all or part of each commitment R to the controller 
device, through the connection means; 

* Steps 2 and 3: act of challenge d, act of response D 
the means of reception of the challenges d of the witness device receive each challenge d 
coming from the controller device through the connection means between the controller 
device and the demonstrator device and through the interconnection means between the 
demonstrator device and the witness device, 

the means of computation of the responses D of the witness device compute the responses 
D from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q2, ... Qm and public values Gj, G2, ... 
Gnu being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p2, ... pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

Gi . ^ 1 - mod n or Gi s Qi^ mod n; 
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V designating a public exponent such that 
where k is a security parameter greater than 1 ; 

said public value Gi being the square gi^ of a base number & smaller than the f 
prime factors pi, pa, pf ; the base number gi being such that the foUovving two 
conditions are met: 
neither of the two equations: 

= gi mod n and x^ ^ - gi mod n 

can be resolved in x in the ring of integers modulo d 
the equation: 

X* = gi^ mod n 
can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime 
factors Pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qi and/or the f-m components Qj, j (Qj, j s 
Qi mod pj) of the private values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo o; each 
commitment being computed: 

• either by performing operations of the type; . 

Rsr^mod n 
where r is a random value such that 0 < r< n, 
• or 

• • by performing operations of the type: 

= ri' mod pj 

where ri is a random value associated with the prime number pi such that 0 < n < pi, each 
n belonging to a collection of random values {n , r2 , ff}, 

• • then by £^)plying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers di hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, 
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• either by perfomiing operations of the type: 

D s r , 02 . . . Q„ ^"^ mod n 

• or 

• • by perfonning operations of the type: 

Di s n . Qi,i - Qi^ ^. ... Qi,„, rood p^ 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments each group of numbers d, D forming a triplet referenced {R, 

• Step 4: act of checking 

the transmission means of the demoiistrator transmit each response D to the controller 
that carries out the check. 

13. ( Twice Amended) Terminal device according to claim 11, designed to give 
proof to an entity, known as a controller, of the integrity of a message M associated with 
an entity known as a demonstrator, 

said terminal device being such that it comprises a demonstrator device associated with 
the demonstrator entity, said demonstrator device being interconnected with the witness 
device by interconnection means and being capable especially of taking the form of logic 
microcircuits in a nomad object, for example the form of a microprocessor in a 
microprocessor-based bank card, 

said demonstrator device comprising coimection means for its electrical, electromagnetic, 
optical or acoustic connection, especially through a data-processing communications 
network, to the controller device associated with the controller entity, said controller 
device especially taking the form of a terminal or remote server; 
said terminal device being used to execute the following steps: 

■ Step 1 : act of commitment R 
at each call, the means of computation of the corrunitments R of the witness device 
compute each commitment R by applying the method designed to prove to a controller 
entity. 
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- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q2» ... Qm and public values G], G^, ... 
Gm, m being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulxis n constituted by the product of f prime factors pi, P2, *. . pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

Gi « Qi^ = 1 . mod n or Gi 5 Qi^ mod n; 

v designating a public exponent such that 

v-2'^ 

where k is a security parameter greater than 1 ; 

said public value Gj being the square gi^ of a base number gi smaller than the f 
prime factors pi, pi, ... Pf ; the base number gi being such that the following two 
conditions are met: 
neither of the two equations: 

x^Bgittiodn and x^^-gimodn 
can be resolved in x in the ring of integers modulo n 
the equation: 

x'' = gi^ mod n 
can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness havmg f prime 
factors Pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qi and/or the f.m components Qj, j (Qj, j = 
Qi mod pj) of the private values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

Rs r^mod n 
where r is a random value such that 0 < r< n, 
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• or 

• • by performing operations of the type: 

where Vi is a random value associated with the prime number pi such that 0 < ri < pi, each 
ri belonging to a collection of random values {ri , ri , rf}, 

• • then by ^plying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers di hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, 

• either by performing operations of the type: 

D = r . Q2 . » Qm mod d 

• or 

• ♦ by performing operations of the type; 

Di = ri , Qu . Qi,2 . Qim mod pi 

• • and then by ^plying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of nxmibers R, d, D forming a triplet referenced {R^ 
d,D}; 

where as the witness device has means of transmission, hereinafter called the 
transmission means of the witness device, to transmit all or part of each commitment R to 
the demonstrator device through the interconnection means^ 

« Steps 2 and 3: act of cballcdge d, act of response D 
the demonstrator device comprises computation means, hereinafter called the 
computation means of the demonstrator, applying a hashing function b whose argimients 
are the message M and all or part of each conmiitment R to compute at least one token T, 
the demonstrator device also has transmission means, hereinafter known as the 
transmission means of the demonstrator device, to transmit each token T, through the 
connection means, to the controller device, 

said controller, after having received ihe token T, produces challenges d equal in niunber 
to the number of commitments R, 
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the means of reception of the challenges d of the witness device receive each challenge d 
coming from the controller device through the connection means between the controller 
device and the demonstrator device and through the interconnection means between the 
demonstrator device and the witness device, 

the means of computation of the responses D of the witness device compute the responses 
D from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Qz, Qm and public values Gi, Gj, . 
Gm, m being greater than or equal to 1 1, or of the parameters derived from these values, 

' a public modulus n constituted by the product of f prime factors pi, p?, pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

Gi . Q/ s 1 . mod n or Gi s Qi^ mod n; 

v designating a pubUc exponent such that 

v = 2* 

where k is a security parameter greater than 1; 

said public value Gi being the square of a base number gi smaller than the f 
prime factors pi, p2> pr ; the base number gi being such that the following two 
conditions are met: 
neither of the two equations: 

x^sgimodn and x's-gimodn 
can be resolved in x in the ring of integers modulo n 
the equation: 

x"" « gi^ mod D 
can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime 
factors pi and/or parameters of the Chinese remainders of the prime factors and/or the 
pubUc modulus a and/or the m private values Qj and/or the f.m components Qi, j (Qj, j = 



3^ 
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Qi mod pj) of the private values Qi and of the public exponent v; 

- the witness computes commitnients R in the ring of the integers modulo n; each 
conunitment being computed: 

• either by performing operations of the type: 

R 5 r"" mod o 
where r is a random value such that 0 < r < n, 
•or 

• • by perfomiing operations of the type: 

Risri^mod pj 

where n is a random value associated with the prime number pi such that 0 < n < pi, each 
n belonging to a collection of random values {fi , rj , ... rr}, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers di hereinafter called elementary challenges; the witness, on the basis of each 
challenge d» computes a response D, 

• either by performing operations of the type: 

D3r.Q/'.Q2 *^..-.Q.n^'" modn 

• or 

• ■ by performing operations of the type: 

Di s n . Qi.i . Qi,2 Qum ^" mod p, 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R^ d, D forming a triplet referenced {R, 
<1,D}. 

•Step 4: act of checking 

the transmission means of the demonstrator send each response D to the controller device 
which performs the check. 
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14. ( Twice Amended) Terminal device according to claim 11, designed to 

produce the digital signature of a message M, hereinafter known as the signed message^ 
by an entity called a signing entity; 
the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

said terminal device being such that it comprises a signing device associated with the 
signing entity, said signing device being interconnected with the witness device by 
interconnection means and possibly talcing especially the form of logic microcircuits in a 
nomad object, for example the fonn of a microprocessor in a microprocessor-based bank 
card, 

said demonstrator device comprising connection means for its electrical, electromagnetic, 
optical or acoustic connection, especially through a data-processing communications 
network, to the controller device associated with the controller entity, said controller 
device especially taking the form of a tenninal or remote server; 
Signing operation 

said terminal device being used to execute the following steps: 

• Step 1: act of commitment R 
at each call, the means of computation of the commitments R of the Avitneas device 
compute each commitment R by applying the method designed to prove to a controller 
entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Qiy ... Qm and public values d, G^, ... 
Gn» m being greater than or equal to 1 1, or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p2, Pr> f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

^7 
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G| . Qi^ s 1 . mod n or Gi 5 mod n; 

V designating a public exponent such that 

where k is a security parameter greater than 1; 

said public value G| bdng the square gj^ of a base number gi smaller than the f 
prime factors pi, P2> Pr ; the base number g; being such that the following two 
conditions are met: 
neither of the two equations: 

s^ = gimodD and x^s-gjmodn 
can be resolved in x in the ring of integers modulo n 
the equation: 

s gi^ mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime 
factors Pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qi and/or the f.m components Qi, j (Qi, j « 
Qi mod pj) of the private values Qi and of the public exponent v; 

' the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = mod n 
where r is a random value such that 0 < r< n, 
• or 

• • by performing operations of the type: 

Ri = Vmad pi 

where rj is a random value associated with the prime number pi such that 0 < n < Pi. ©ach 
ri belonging to a collection of random values {ri , , ... rr}» 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers d| hereinafter called elementary challenges; the witness, on the basis of each 
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challenge d, computes a response D, 

• either by performing operations of the type: 

D = r . Q, - Q2 ''I . . . Qn, modn 

• or 

• • by performing operations of the type: 

D» s r, . Qm - Qi^ ... Qi^u, mod p, 

• • and then by applying the Chinese remainder method; 

said method being such that there are a$ many responses D as there are challenges d as 
there are commitments R, each group of numbers d, D forming a triplet referenced {R, 
d,DK 

where as the witness device has means of transmission, hereinafter called the 
transmission means of the witness device^ to transmit all or part of each conrniitment R to 
the signing device through the interconnection means, 

• Step 2: act of challenge d 

the signing device comprises computation means, hereinafter called the computation 
means of the signing device, applying a hashing function h whose arguments are the 
message M and all or part of each commitment R to compute a binary train and extract, 
fiiom this binary train, challenges d whose number is equal to the number of 
coirmutments R, 

• Step 3: act of response D 

the means for the reception of the challenges d of the witness device receive each 
challenge d coining from the signing device through the intercoimection means, 
the means for computing the responses D of the witness device compute the responses D 
from the challenges d by qjplying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Qz* Qm £ind public values G|, Gz, 
Gm, m being greater than or equal to 1 | , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p^, ... pr, f 
being greater than or equal to 2; 
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said modulus^ said exponent and said values being related by relations of the 
following type 

Gi, Qr = 1 . mod n or G| = Qi^mod u; 
V designating a public exponent such that 

where k is a security parameter greater than 1 ; 

said public value Gj being the square gi^ of a base number gi smaller than the f 
prime factors pi, p2» Pf ; the base number gi being such that the following two 
conditions are met: 
neither of the two equations: 

x^^gimodn and x^a-gimodn 
can be resolved in x in the ring of integers modulo o 
the equation: 

x^ » gi^ mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f pnme 
factors pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qi and/or the f.m components Qi, j (Qi, j s 
Qi mod pj) of the private values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R s mod o 
where r is a random value such that 0 < r< n, 
■ or 

• • by performing operations of the type: 

Rj = ri^mod pi 

where ri is a random value associated with the prime number pi such that 0 < n < pi, each 
n belonging to a collection of random values {n , ra , rp}, 

• • then by applying the Chinese remainder method; 
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- the witness receives one or more challenges each challenge d comprising m 
integers di hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, 

• either by perfoiming operations of the type; 

D - r - Q/^ Q2 . . . Qm '^'^ mod n 

• Or 

* • by performing operations of the type: 

Di s n . Qi,i . Qi4 ^. Qi^ mod pi 

• * and then by (^plying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitmmts R, each group of numbers R, d, D forming a triplet referenced {R^ 
d,D}, 

where as the witness device comprises transmission means, hereinafter called means of 
transmission of the witness device, to transmit the responses D to the signing device> 
through the interconnection means. 

15, Controller device especially taking the form of a terminal or remote 
s^er associated with a controller entity, designed to check: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with (his entity 
25 by means of: 

- m pairs of public values Gi, ... Gn, , m being greater than or equal to 1, 

- a public modulus n constituted by the product of said f prime factors pi> pit 
«,« Pf, f being greater than or equal to 2, unknown to the controller device and to the 
associated controller entity, 

30 said modulus and said values being related by relations of the type 
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G| . Qi"^ s 1 . mod n orG] = Qi^'mod n . 
where Q, designates a private value, unknown to the controller device, associated 
with the public value d, 
V designating a public exponent such that 

where k is a security parameter greater than 1 ; 

said public value G| being the square of a base number a smaller than the f prime 
factors Pi, p^, ... pf, the base number g, being such that the following conditions are 
met: 

10 neither of the two equations; 

s gimod n and ^ - gj rood n 
can be resolved in x in the ring of integers modulo n 
the equation: 

X* s mod n 

can be resolved in x in the ring of the integers modulo n. 

Controller device according to claim 15, designed to prove the 
authenticity of an entity called a demonstrator to an entity called a controller; 
said controller device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especially through a data-processing 
20 communications network, to a demonstrator device associated with the demonstrator 
entity; 

Sid controller device being used to execute the following steps: 

• Steps 1 and 2: act of commitment R, act of challenge d 
said controller device also has means for the reception of all or part of the 
25 commitments R coming from the demonstrator device through the connection means, 
the controller device has challenge production means for the production, after 
receiving all or part of each commitment R, of the challenges d in a number equal to 
Uie number of commitments R, each challenge d comprising m integers di 
hereinafter called elementarj' challenges. 
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the controller device also has transmission means, hereinafter called transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means; 

•Steps 3 and 4: act ofresponseD, act of checking 
S said controller device also comprises: 

- means for the reception of the responses D coming from the demonstrator 
device, through the connection means, 

- computation means, hereinafter called the computation means of the 
controller device, 

0 - comparison meanj, hereinafter called the comparison means of the 
controller device, 

case where the demonstrator has transmitted a part of each commitment R. 

if the reception means of the demonstrator have received a part of each commitment 

R, the computation means of the controller device, having m public values Gi, G2, 

1 G^, compute a reconstructed commitment R', from each challenge d and each 
response D, this reconstructed commitment R' satisfying a relationship of the type 

R' ^ Gi dl , G2 . G„ dm Dv mod n 

or a relationship of the type 

R' s Dv/Gi dl^G^dl, ... G„ dm . mod o 

the comparison means of the controller device compare each reconstructed 
commitment R' with all or part of each commitment R received. 
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case where the demonstrator has transmitted the totality of each 
conmiitment R 

if the transmission means of the demonstrator have received the totality of each 
commitment the computation means and the comparison means of the controller 
device^ having m public values Gj, G2, — , ascertain that each commitment R 
satisfies a relationship of the type 

R = Gi - G2 <^ . Gm . Dv mod n 
or a relationship of the type 

R = DV/Gj dl _G2«>2.„. Gmdm.modn 
17, Controller device according to claim 15, designed to give proof to an entity, 
known as a controller, of the integrity of a message M associated with an entity known as 
a demonstrator, 

said controller device comprising connection means for its electrical, electromagnetic, 
optical or acoustic connection, especially through a data-processing communications 
network, to a demonstrator device associated with the demotistrator entity, 
said system enabling the execution of the following steps: 

• Steps 1 and 2: act of commitment R, act of challenge d 

said controller device also has means for the reception of tokens T coming from the 
demonstrator device through the connection means, 

the controller device has challenge production means for the production, after having 
received the token T, of the challenges d in a number equal to the number of 
commitments R, each challenge d comprising m integers d^, herein after called 
elementary challenges, 

the controller device also has transmission means, hereinafter called the transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means; 

• Steps 3 and 4 : act of response act of checking 
the controller device also comprises: 

- means for the reception of the responses D coming from the demonstrator 
device, through the connection means, 

Hi 
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- computation means, hereinafter called the computation means of the controller 
device, having m public values Gji G2, Gm, to firstly compute a reconstructed 
commitment R*, from each challenge d and each response D, this reconstructed 
commitment R' satisfying a relationship of the type 

R' = Gi dl . G2 «"2 . ... Gn, - DV mod d 
or a relationship of the type 

R' = DV/Gi dl . G2 , ... Gm * mod n 
then, secondly, compute a token T' by ^plying the hashing function h having as 
arguments the message M and all or part of each reconstructed commitment R*, 
the controller device also comprises: 

- comparison means, hereinafter called the comparison means of the controller 
device, to compare the computed token T' with the received token T. 

18. Controller device according to claim 15, designed to prove the authenticity of 
the message M by checking a signed message by means of an entity called a controller; 
the signed message, sent by a signing device associated with a signing entity having a 
hashing function h (message, R), comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 
Checking operation 

said controller device comprising connection means for its electrical, electromagnetic, 
optical or acoustic connection, especially through a data-processing communications 
network, to a signing device associated with the signing entity, 

said controller device having received the signed message from the signed device, 
through the connection means, 
the controller device comprises: 

- computation means, hereinafter called the computation means of the controller 

device, 

- comparison means, hereinafter called the comparison means of the controller 

device; 
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• oa$e where the controUer device has comndtineiits R, challenges d, responses D 
if the controller has commitments R, challenges responses D, 

• • the computation and comparison means of the controller device ascertain that 
the commitments R, the challenges d and the responses D satisfy relationships of the type 

R = Gi ''l.G2*^-".Gm*'"-DVmodn 
or relationships of the type: 

R = DV/Gi dl , G2 «*2 . Gm . mod n 

• • the computation and comparison means of the controller device ascertain that 
the message M, the challenges d and the commitments R satisfy the hashing function 

d - h (message, R) 

• case where the controller device has challenges d and responses D 
if the controller device has challenges d and responses D, 

' • • the computation means of the controller, on the basis of each challenge d and 
each response D, compute commitments R' satisfying relationships of the type 
R' H- Gi , G2 . dm , DV „ 

or relationships of the type: 

R' «DV/Gi dl . G2 d2 . _ dm, niod n 

• • the computation and comparison means of the controller device ascertain that 
the message M and the challenges d satisfy the hashing function: 

d = h (message, R') 

• case where the controller device has commitments R and responses D 
if the controller device has commitments R and responses D, 

• • the computation means of the controller device ^ly the hashing function and 
compute d' such that 

d* h (message, R) 

• • the computation and comparison means of the controller device ascertain that 
the commitments R, the chaUenges d* and the responses D satisfy relationships of the 
type 

R = Gi . G2 . ... Gm . DV mod n 

or relationships of the type: 



R - DV/G, d'l . G2 d'2 . ... d'm . ^ 



